On Wed, 16 Oct 2019, Paolo Bonzini wrote: > On 25/09/19 20:09, Sean Christopherson wrote: > > - Remove KVM loading of MSR_TEST_CTRL, i.e. KVM *never* writes the CPU's > > actual MSR_TEST_CTRL. KVM still emulates MSR_TEST_CTRL so that the > > guest can do WRMSR and handle its own #AC faults, but KVM doesn't > > change the value in hardware. > > > > * Allowing guest to enable split-lock detection can induce #AC on > > the host after it has been explicitly turned off, e.g. the sibling > > hyperthread hits an #AC in the host kernel, or worse, causes a > > different process in the host to SIGBUS. > > > > * Allowing guest to disable split-lock detection opens up the host > > to DoS attacks. > > > > - KVM advertises split-lock detection to guest/userspace if and only if > > split_lock_detect_disabled is zero. > > > > - Add a pr_warn_once() in KVM that triggers if split locks are disabled > > after support has been advertised to a guest. > > > > Does this sound sane? > > Not really, unfortunately. Just never advertise split-lock detection to > guests. If the host has enabled split-lock detection, trap #AC and > forward it to the host handler---which would disable split lock > detection globally and reenter the guest. Which completely defeats the purpose. 1) Sane guest Guest kernel has #AC handler and you basically prevent it from detecting malicious user space and killing it. You also prevent #AC detection in the guest kernel which limits debugability. 2) Malicious guest Trigger #AC to disable the host detection and then carry out the DoS attack. Try again. Thanks, tglx
